Derelict Administrator Accounts: A Millennium Falcon Problem

Many sysadmins have the same attitude towards the networks
they manage that Han Solo has towards the Millennium Falcon. The cardinal rule is
“if it is currently working, don’t mess with it.” That’s why Han Solo got angry
with Chewbacca for performing preventative maintenance in the Rebel Hangar on
Hoth. The ship was working and then Chewie started messing with it. Han knew
that pulling on any one thread could unravel the whole kit and caboodle.

There are a whole lot of loose threads hanging about a
network that it is tempting to tug on. One such thread that many administrators
are reluctant to pull on is “removing the user accounts of sysadmins who no
longer work at the organization”.

When I’ve asked audiences at TechEd whether they’ve seen active
accounts for systems administrators who have moved on, I’d say that roughly
80% of hands go up. The main reason that people are reluctant to do anything
about these accounts is a fear that if they disable the account, something (a
script, a service, or something else in the entrails of the network
infrastructure) will break. Better to let sleeping dogs lie, to not pull on a
thread that may unravel more trouble than it is worth. While we ourselves know
not to configure services and scripts to run using our own credentials, we
don’t trust the people that we work with to be so sensible.

It is the Millennium Falcon problem. Start working on the
landing gear and suddenly the hyperdrive doesn’t work. We’ve all had a bad
experience when maintaining a network where we have started doing some routine
maintenance on one thing, only to have something else that seems unrelated fail
spectacularly. And let’s face it: most sysadmins have enough fires to put out
without worrying about pulling on threads that might start more.

So what can you do about the derelict accounts of former
sysadmins?

Audit them. If a domain admin account is being used to
support a script or service, it has to be logging on. You can run a query from
Active Directory Users and Computers to figure out which accounts haven’t
logged on recently. If you have someone who left more than a year ago but their
account isn’t on the list of accounts that haven’t logged on for more than 30
days you’ve certainly got an issue that you should investigate. If the account
is on the list of accounts that haven’t logged on for more than 30 days, then
you can be a little more confident that disabling the account, with a view to
eventual deletion, is unlikely to break the hyperdrive.
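The same audit the post describes (the “haven’t logged on for 30 days” query from Active Directory Users and Computers) can be run from PowerShell so that the result is a reviewable list rather than a one-off click. The script below is an added example, not something from the original post: it assumes the ActiveDirectory RSAT module, a domain-joined session with rights to read the accounts and to disable them, and a hypothetical list of server names (`FILE01`, `APP01`) to inspect. `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which is only rewritten when the stored value is more than roughly 9 to 14 days old, so a 30-day window absorbs that lag; anything shorter would produce false “inactive” results. Because the thing everyone fears is a service or scheduled task that nobody remembers, the script also asks the listed servers which services and tasks are configured to run as each candidate account before anything is disabled.

```powershell
# Added example (not from the original post): audit Domain Admins for inactivity,
# look for services/tasks still configured to run as the stale accounts, then
# disable (not delete) with -WhatIf so the run is a dry run until you remove it.
# Assumes the ActiveDirectory RSAT module and a suitably privileged, domain-joined session.
Import-Module ActiveDirectory

$InactiveDays   = 30
$Cutoff         = (Get-Date).AddDays(-$InactiveDays)
$ServersToCheck = @('FILE01', 'APP01')   # hypothetical server names; replace with your own

# 1. Enumerate privileged accounts, including members of nested groups.
$Admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, Enabled, PasswordLastSet
    }

# 2. Classify each account. A null LastLogonDate means lastLogonTimestamp was never
#    set, i.e. no interactive, network or service logon has ever been recorded for it.
$Report = foreach ($Admin in $Admins) {
    $Status = if (-not $Admin.Enabled)               { 'Disabled' }
              elseif ($null -eq $Admin.LastLogonDate) { 'NeverLoggedOn' }
              elseif ($Admin.LastLogonDate -lt $Cutoff) { 'Inactive' }
              else                                    { 'Active' }
    [pscustomobject]@{
        SamAccountName  = $Admin.SamAccountName
        Enabled         = $Admin.Enabled
        LastLogonDate   = $Admin.LastLogonDate
        PasswordLastSet = $Admin.PasswordLastSet
        Status          = $Status
    }
}
$Report | Sort-Object LastLogonDate | Format-Table -AutoSize

# 3. For the stale candidates, ask each listed server whether a service or scheduled
#    task is configured to run as that account (DOMAIN\name or name@domain forms).
$Candidates = $Report | Where-Object { $_.Status -in 'Inactive', 'NeverLoggedOn' }
foreach ($Server in $ServersToCheck) {
    foreach ($Candidate in $Candidates) {
        $Sam = $Candidate.SamAccountName
        Get-CimInstance -ClassName Win32_Service -ComputerName $Server |
            Where-Object { $_.StartName -like "*\$Sam" -or $_.StartName -like "$Sam@*" } |
            Select-Object @{n = 'Server'; e = { $Server }}, Name, StartName, State

        # Scheduled tasks (Get-ScheduledTask exists on Windows Server 2012 and later).
        Invoke-Command -ComputerName $Server -ScriptBlock {
            Get-ScheduledTask |
                Where-Object { $_.Principal.UserId -like "*$using:Sam" -or $_.Principal.UserId -like "$using:Sam@*" } |
                Select-Object @{n = 'Server'; e = { $env:COMPUTERNAME }}, TaskName,
                              @{n = 'RunAs'; e = { $_.Principal.UserId }}
        }
    }
}

# 4. Disable the enabled candidates. Keep -WhatIf until the service/task output above
#    has been reviewed; disabling is reversible, deletion is not.
$Candidates | Where-Object { $_.Enabled } | ForEach-Object {
    Disable-ADAccount -Identity $_.SamAccountName -WhatIf
}
```

Run it on a domain controller or a management host with RSAT, and keep the `-WhatIf` in place for the first pass. Step 3 is the part that turns “probably safe” into “checked”: an account that has not logged on in 30 days and is not the logon identity of any service or task on the servers that matter is a good candidate for disabling, and the disabled state gives you a quiet period to discover anything the report missed before the account is finally deleted.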

Are there any scenarios where an account can be used in which it doesn't require a logon? I've been told this by other administrators but I can't remember their rationale. If so, what scenarios are there and what can be done to determine if an account is being used in this manner (a different event, etc???)